Not all IPA users need MS-PAC. Make it possible to globally/per-user specify which IPA users/groups should get MS-PAC generated.
Add optional multivalued attribute to ipakrbprincipal objectclass in 61kerberos-ipav3.ldif
ipaAddAuthorizationdata should be a bitfield?
If the attribute is not present, will do domain default. If it is 0, add no auth data (no MS-PAC, no PAD in future). If it contains MS-PAC, will add it. If it contains PAD, will add it. MS-PAC defined as 0x01, PAD defined as 0x02 ...
Add same attribute to domain object too, it will determine the default action.
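The lookup order proposed above (per-principal attribute first, domain default only when it is absent, 0 meaning no authorization data) can be sketched as follows. This is an added example, not FreeIPA code: the function names, the string encoding of the attribute values ("MS-PAC", "PAD", "0") and the choice to issue no authorization data when a value is unrecognised are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Bit values as proposed in the ticket text. */
#define AUTHZ_NONE   0x00u
#define AUTHZ_MS_PAC 0x01u
#define AUTHZ_PAD    0x02u

/* Fold the values of one entry's attribute into a bitmask.
 * Returns 0 on success, -1 on an unknown or contradictory value.
 * Assumption: the literal value "0" means "add no auth data". */
static int authz_parse(const char *const *vals, size_t n, unsigned *mask)
{
    unsigned m = AUTHZ_NONE;
    int saw_zero = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(vals[i], "0") == 0) saw_zero = 1;
        else if (strcmp(vals[i], "MS-PAC") == 0) m |= AUTHZ_MS_PAC;
        else if (strcmp(vals[i], "PAD") == 0) m |= AUTHZ_PAD;
        else return -1;
    }
    if (saw_zero && m != AUTHZ_NONE) return -1; /* "0" next to a type */
    *mask = m;
    return 0;
}

/* Effective authorization data for one principal (hypothetical helper).
 * princ_vals == NULL models "attribute not present": use the domain default.
 * A present but unparsable attribute yields no auth data (example's choice). */
unsigned authz_effective(const char *const *princ_vals, size_t n_princ,
                         const char *const *dom_vals, size_t n_dom)
{
    unsigned mask = AUTHZ_NONE;
    if (princ_vals != NULL)
        return authz_parse(princ_vals, n_princ, &mask) == 0 ? mask : AUTHZ_NONE;
    if (dom_vals != NULL && authz_parse(dom_vals, n_dom, &mask) == 0)
        return mask;
    return AUTHZ_NONE;
}

int main(void)
{
    /* Constructed sample values, not taken from a real directory. */
    const char *domain[] = { "MS-PAC" };
    const char *service[] = { "0" };
    printf("user without attribute: 0x%02x\n", authz_effective(NULL, 0, domain, 1));
    printf("service marked 0:       0x%02x\n", authz_effective(service, 1, domain, 1));
    return 0;
}
```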
Check out #3263 too, we added a temp fix in there that needs to be backed out once we have proper support to arbitrarily mark a principal in IPA as 'do not PAC'.
Seems like a dup of #2960.
master:
ipa-4-3:
Metadata Update from @abbra: - Issue assigned to simo - Issue set to the milestone: FreeIPA 4.3.1